<div dir="ltr">Thank you Craig and Martin for your useful input.<div><br></div><div>You both definitely recommend not to use <a href="http://example.com">example.com</a> for the internal IPA DNS. </div><div><br></div><div>I was in any case going to avoid .local suffix and any invented top-level domain, after some reading on this topic.</div><div><br></div><div>Using a subdomain like <a href="http://internal.example.com">internal.example.com</a> seems reasonable. </div><div>I was under the impression that the freeIPA domain needed to be a top-level one, but maybe I was wrong here? Can I still keep <a href="http://example.com">example.com</a> outside and have freeIPA manage <a href="http://internal.example.com">internal.example.com</a>?<br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 4 February 2015 at 10:34, Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
<div>On 03/02/15 16:52, Craig White wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">From:</span></b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">
<a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a>
[<a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">mailto:freeipa-users-bounces@redhat.com</a>]
<b>On Behalf Of </b>Roberto Cornacchia<br>
<b>Sent:</b> Tuesday, February 03, 2015 5:20 AM<br>
<b>To:</b> <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a><br>
<b>Subject:</b> [Freeipa-users] basic question on DNS
configuration<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Hi guys,<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I can't wait to get freeIPA installed
in our small enterprise, but I'd first like to get a
couple of basic things straight. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">My first doubt is about the DNS
configuration. Currently, we use a setting that I guess is
rather common for small enterprises:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">We own an <a href="http://example.com" target="_blank">example.com</a> domain which
is managed by the DNS of an external provider. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">A couple of subdomains point to public
IP addresses outside our local network (e.g.
<a href="http://www.example.com" target="_blank">www.example.com</a>
is hosted at our internet provider,
<a href="http://server1.example.com" target="_blank">server1.example.com</a>
points at a server hosted in a datacenter, etc).<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">All the remaining subdomains (*.<a href="http://example.com" target="_blank">example.com</a>)
point at one IP which corresponds to our local router. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Then we use some simple forwarding
rules to forward on to machines that are behind the router
(<a href="http://service1.example.com" target="_blank">service1.example.com</a>,
<a href="http://desktop1.example.com" target="_blank">desktop1.example.com</a>,
<a href="http://desktop2.example.com" target="_blank">
desktop2.example.com</a>, etc).<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Internally, because the enterprise is
rather small, we are not using a DNS, but simply
/etc/hosts files on each machine. When they can't resolve
<a href="http://whatever.example.com" target="_blank">whatever.example.com</a>,
then the request goes to the external DNS.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">(sorry about the long-ish background
information, probably this configuration is commonly named
somehow, but I don't know how)<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Now, a first simple question for you
guys would be: <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">When installing freeIPA, with DNS, is
the network configuration above still advisable? Can there
be any problem? Or should I rather use a different domain
for the internal network (I would really NOT like this
option, but I'm very interested to know why I should, if
that is the case).<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">A second basic question is:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Would you see any potential problem in
installing freeIPA on a FC21 Server which currently hosts
Atlassian Jira + Atlassian Stash (therefore git
repositories) + the required mysql databases?<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">My guess would be that they would not
interfere, as:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">- httpd (and related ports) is
currently unused)<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">- Both Jira and Stash use their own
tomcat installation on custom ports<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">- mysql shouldn't be a problem?<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">- The machine isn't overloaded at all
(4-5 developers use those services)<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Am I overlooking something? Obviously
I'd rather have a dedicated freeIPA server, but if the
above mentioned coexistence isn't a problem, then this
would be more cost-effective.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Thank you very much for your help, I'm
looking forward to this upgrade.<u></u><u></u></p>
</div>
<div>
<div style="border:none;border-bottom:solid windowtext 1.0pt;padding:0in 0in 1.0pt 0in">
<p class="MsoNormal" style="border:none;padding:0in">Roberto<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="color:#1f497d">I would
recommend that you create a ‘local’ domain for your
internal LAN though you certainly can use your domain
name for both the internal LAN and the external world.
Obviously you would have to create ‘manual’ entries in
DNS for the external servers (like <a href="http://www.example.com" target="_blank">www.example.com</a>)
so your internal LAN systems can resolve it. If you have
a ‘local’ domain for your internal LAN, there aren’t
name collisions, no need to manually maintain DNS
entries for off-LAN servers and no confusion of
essentially faking your LAN systems into believing that
the IPA server is authoritative for <a href="http://example.com" target="_blank">example.com</a> domain
when the rest of the world thinks otherwise. The choice
is yours.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">As for
using F21 – you get the latest version of FreeIPA which
is something I wish I had here.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">Git / Stash
/ Jira represent a fairly hefty memory footprint even if
there isn’t that much CPU load. If you have the RAM and
cpu cores to handle tossing FreeIPA onto the stack, go
for it. You probably will want a replica too as the
replica keeps your LAN running if the primary server is
unavailable for whatever reason and it minimizes backup
needs substantially.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">Craig</span><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1f497d"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote></div></div>
Hello,<br>
<br>
Before using a 'local.' domain, please read the following message to avoid
issues on Fedora:<br>
<a href="https://www.redhat.com/archives/freeipa-users/2015-February/msg00010.html" target="_blank">https://www.redhat.com/archives/freeipa-users/2015-February/msg00010.html</a><br>
<br>
You can't use the '<a href="http://example.com" target="_blank">example.com</a>' zone for internal IPA DNS.<br>
<br>
You can create your internal sub zone, like '<a href="http://internal.example.com" target="_blank">internal.example.com</a>' or
'<a href="http://corp.example.com" target="_blank">corp.example.com</a>', where IPA-managed hosts will be added. It is
the preferred solution instead of creating '.local' hostnames. Then you
can set up a global forwarder on IPA DNS to your external DNS, where
names other than '<a href="http://internal.example.com" target="_blank">internal.example.com</a>' will be resolved.<br>
<br>
If I understand correctly, it is an internal network, so you do not
need publicly resolvable domain names.<span class="HOEnZb"><font color="#888888"><br>
<pre cols="72">--
Martin Basti</pre>
</font></span></div>
</blockquote></div><br></div>
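Added example, not code from this thread or from the FreeIPA project: a small Python simulation of the two DNS layouts discussed above (IPA authoritative for the whole of example.com, versus IPA managing only a sub zone such as internal.example.com with a global forwarder to the external DNS). All addresses and records are constructed, and the function names resolve and is_safe_internal_zone are hypothetical. It shows what the replies describe: with the top-level layout every external name (www, server1, the wildcard catch-all) has to be maintained by hand or it becomes NXDOMAIN for internal clients, while with the sub zone those names simply pass through the forwarder.

```python
# Added example, not code from the freeipa-users thread or the FreeIPA project.
# It simulates how an internal DNS server answers queries under the two layouts
# discussed above. Zone names, records and addresses are constructed (RFC 5737
# documentation ranges); the function names are hypothetical.

# What the provider's public DNS answers for example.com (constructed).
EXTERNAL_RECORDS = {
    "www.example.com": "203.0.113.10",      # hosted at the internet provider
    "server1.example.com": "203.0.113.20",  # hosted in a datacenter
}
EXTERNAL_WILDCARD = "198.51.100.1"          # *.example.com -> the office router


def external_lookup(name):
    """Public resolver for example.com: exact record first, then the wildcard."""
    if name in EXTERNAL_RECORDS:
        return EXTERNAL_RECORDS[name]
    if name.endswith(".example.com"):
        return EXTERNAL_WILDCARD
    return None


def resolve(name, zones, forwarder=external_lookup):
    """Answer a query the way an authoritative server with a global forwarder does.

    zones maps each locally managed zone to its records. If the name falls
    inside one of those zones the server answers from its own data and never
    forwards (a missing record is a negative answer, NXDOMAIN). Anything else
    goes to the forwarder. Returns (source, address); address is None for a
    negative answer.
    """
    name = name.rstrip(".").lower()
    for zone, records in zones.items():
        if name == zone or name.endswith("." + zone):
            return ("ipa:" + zone, records.get(name))
    return ("forwarder", forwarder(name))


def is_safe_internal_zone(zone, owned_domain):
    """Apply the thread's advice: no '.local', no invented top-level name, and a
    zone strictly below the domain you actually own."""
    zone = zone.rstrip(".").lower()
    owned = owned_domain.rstrip(".").lower()
    if zone.endswith(".local"):
        return False
    return zone != owned and zone.endswith("." + owned)


# Layout A: IPA claims the whole of example.com. Every external name must be
# copied in by hand or it vanishes for internal clients.
ZONES_TOPLEVEL = {
    "example.com": {"desktop1.example.com": "10.0.0.11"},
}

# Layout B: IPA manages only internal.example.com; everything else is forwarded.
ZONES_SUBDOMAIN = {
    "internal.example.com": {"desktop1.internal.example.com": "10.0.0.11"},
}

if __name__ == "__main__":
    queries = ("www.example.com", "server1.example.com",
               "desktop1.internal.example.com", "printer.example.com")
    for layout, zones in (("A: example.com", ZONES_TOPLEVEL),
                          ("B: internal.example.com", ZONES_SUBDOMAIN)):
        print("Layout", layout)
        for q in queries:
            print("  %-32s -> %s" % (q, resolve(q, zones)))
```

Running it prints, for layout A, a negative answer for www.example.com and server1.example.com (the records exist only at the provider), whereas layout B returns the provider's addresses through the forwarder and answers only the internal.example.com names itself. The is_safe_internal_zone check encodes the choice the thread converges on: a sub zone of the owned domain, not the owned domain itself and not a '.local' name.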